Nearly 7 Million Dropbox Passwords Have Been Hacked

Nearly 7 million Dropbox usernames and passwords have been
hacked, apparently via third-party services from which hackers
were able to strip the login information.

The Next Web was the first to notice the leak on a site
called Pastebin, where hackers have already leaked about 400
accounts. The hackers promise to release more accounts in return
for Bitcoin donations. The hackers claim to have over 6.9 million
email addresses and passwords belonging to Dropbox users.

In a statement, Dropbox denied it was hacked:

Dropbox has not been hacked. These usernames and passwords were
unfortunately stolen from other services and used in attempts to
log in to Dropbox accounts. We'd previously detected these
attacks and the vast majority of the passwords posted have been
expired for some time now. All other remaining passwords have
expired as well.

That means Dropbox has already expired the 400 logins that have
been leaked so far. But it's unclear if the logins of the nearly
7 million other Dropbox users the hackers claim to have are still
safe. A Dropbox spokesperson told Business Insider that Dropbox
consistently expires passwords for accounts that are being
attacked, but could not provide a number of accounts expired
recently. That means it's possible that there are nearly 7
million other Dropbox accounts still vulnerable.

It's a similar response to the one Snapchat had when
hackers were able to obtain about 100,000 photos from the
service through a third-party app. Snapchat claimed its servers
weren't hacked, but the servers of a third-party app designed to
save Snapchat photos were.

The real problem in both cases appears to be the way popular
services allow users to log in. Even though Dropbox's own servers
weren't hacked, the service still allows third parties access.
It's also possible for hackers to hack other sites and
cross-reference the login information with services like Dropbox since
many people use the same logins for multiple services. Those
third parties have become the target for hackers to obtain
personal information. Assuming the hackers do have the login
information for 7 million Dropbox accounts, it's unclear how they
were able to associate that information from a third-party
service and apply it to Dropbox. A Dropbox spokesperson couldn't
elaborate.

This is an alarming trend.
Services like Dropbox, Snapchat, and Apple have pushed blame on
users and other third parties following recent hacks when it's
clear they're not doing enough to scrutinize the kinds of apps
that have access to their platforms or guarantee users their
logins won't be "expired" if their information is
compromised.